[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
We need to find why it breaks though, but yeah I think we can go forward with 
this patch if others agree.
Can you open a separate bug for the failure you got?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298898148
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I meant my setup was unclean.
I will try to reproduce here.
Does master w/o this patch work properly against 4.4.4?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298889962

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I've seen this once but thought it was a fluke due to my "unclean" master, as 
the following times it did not happen.
Can you reproduce the error against 4.4.4 consistently?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298886632

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Turned out my master had some more relaxed permissions I added when developing 
the feature.
I now have added a new function to just check for the host keys without asking 
for data that cannot be read with the identity we have available.
This has been tested and seems to work correctly.
Please check @stlaz 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-05-02 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From 0e70f02180e2ada8862fbd8d42a42f07a8cabbb9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 28 +++-
 ipaserver/secrets/kem.py  | 12 
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..390576b 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,6 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +18,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +123,27 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+saved_e = None
+while True:
+try:
+return konn.check_host_keys(self.fqdn)
+except Exception as e:
+# log only once for the same error
+if not isinstance(e, type(saved_e)):
+root_logger.debug(
+"Transient error getting keys: '{err}'".format(err=e))
+saved_e = e
+if int(time.time()) > deadline:
+raise RuntimeError("Timed out trying to obtain keys.")
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
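Review bot: the `except Exception as e:` in `__wait_keys` treats every failure as transient, so a permanent condition (unresolvable host, connection refused for the whole 300 s, or the ValueError `check_host_keys` raises when more than one entry matches) is retried until the deadline and then surfaces only as `RuntimeError("Timed out trying to obtain keys.")` with the real cause lost. Suggest narrowing the except to the LDAP and network errors replication lag can actually produce and carrying the last error into the final message, e.g. `raise RuntimeError("Timed out trying to obtain keys: %s" % saved_e)`. Note also that `isinstance(e, type(saved_e))` dedups by class only, so two different OSErrors with different messages are logged once.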
@@ -129,6 +151,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 28fb4d3..c1991c6 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -24,6 +24,7 @@
 
 IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc'
 IPA_KEYS_QUERY = '(&(ipaKeyUsage={usage:s})(memberPrincipal={princ:s}))'
+IPA_CHECK_QUERY = '(cn=enc/{host:s})'
 RFC5280_USAGE_MAP = {KEY_USAGE_SIG: 'digitalSignature',
  KEY_USAGE_ENC: 'dataEncipherment'}
 
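Review bot: `IPA_CHECK_QUERY` substitutes the host name straight into an LDAP filter; that is only safe if `build_filter` applies RFC 4515 escaping to the substituted value, which is worth confirming since `host` comes from `self.fqdn` on the installing replica. A one-line comment that the `enc/<host>` cn must stay in sync with how `IPAKEMKeys` names the encryption key entry would also help, because a rename there would make this check time out after 300 s rather than fail fast.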
@@ -78,6 +79,17 @@ def get_key(self, usage, principal):
 jwk['use'] = KEY_USAGE_MAP[usage]
 return json_encode(jwk)
 
+def check_host_keys(self, host):
+conn = self.connect()
+scope = ldap.SCOPE_SUBTREE
+
+ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host})
+r = conn.search_s(self.keysbase, scope, ldap_filter)
+if len(r) != 1:
+raise ValueError("Incorrect number of results (%d) searching for"
+ "public key for %s" % (len(r), host))
+return True
+
 def _format_public_key(self, key):
 if isinstance(key, str):
 jwkey = json_decode(key)
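Review bot: the message at the `raise ValueError` is built from two string literals with no separating space, so it renders as "...searching forpublic key for ..."; add a trailing space after "searching for". More substantively, `len(r) != 1` folds two different conditions together: zero results is the expected not-yet-replicated state the caller polls on, while more than one result is a data problem that polling will never fix, so consider returning False for zero and raising only for more than one. Since only existence matters, passing `attrlist=['cn']` to `search_s` avoids requesting attributes the bound identity may not be allowed to read.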

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, I finally reproduced.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
@stlaz just FYI, I am asking this info because I cannot reproduce locally with a 
single replica.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-05-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Can you please attach more of the logs before the failure?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
We can probably defer.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
@MartinBasti In this case we need a way to tell the system what the 
priorities are and which protocols are enabled; priorities are important too, 
admins need to be able to change them as they see fit.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
I am not entirely sure we want to care for the case where an admin disables KDC 
Proxy in an automatic fashion; otherwise we would also need to check if TCP or 
UDP are disabled and change that too.
FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to 
change this by manually changing configurations should also take care of 
manually changing the URI records in DNS I think. Just like they would need to 
change records in DNS if either TCP or UDP protocols were disabled.
However if it is overly simple to detect and update records based on enabled 
protocols I am not against doing so.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999

[Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"

Label: +ack

[Freeipa-devel] [freeipa PR#743][+ack] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/743
Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"

Label: +ack

[Freeipa-devel] [freeipa PR#742][-ack] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"

Label: -ack

[Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa"

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"

Label: +ack

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
The current patch moved the key in a place where apache cannot write, resulting 
in an ephemeral key that is thrown away each time apache is restarted/reloaded.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-297701456

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
As I noted in the ticket: "At most you may want to store it in 
/var/lib/ipa/somewhere, but we do not want to break sessions (there are people 
using APIs from non-interactive scripts) just because you needed to restart a 
service/server quickly.
These keys are considered long term keys, and should not be thrown away at each 
reboot."

Let me also add that:
1. the directory needs to be writable by the apache user as the key is created 
the first time the server is started
2. only the apache user must be able to read this key
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-297701218
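A Python check for the two requirements simo5 lists above (directory writable by the service user, key readable only by that user) plus the reboot point, as an added example that is not FreeIPA code: `check_session_key_location`, its `service_uid` argument and the `EPHEMERAL_PREFIXES` list are assumptions of this example, and the key files it inspects are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Runtime directories are tmpfs and emptied at boot; a long-term key placed
# there is silently regenerated after every reboot, which is the failure mode
# the comment above describes. Assumed list, not from FreeIPA.
EPHEMERAL_PREFIXES = ("/var/run/", "/run/")


def check_session_key_location(key_path, service_uid):
    """Return a list of problems with where and how a session key is stored.

    service_uid is the uid of the process that creates and reads the key
    (the apache user in the PR#723 discussion). Hypothetical helper.
    """
    problems = []
    if key_path.startswith(EPHEMERAL_PREFIXES):
        problems.append("key lives under a runtime dir that is cleared at reboot")

    key_dir = os.path.dirname(key_path)
    try:
        dst = os.stat(key_dir)
    except OSError:
        problems.append("key directory does not exist")
        return problems
    # Requirement 1: the service user creates the key on first start, so it
    # must be able to write to the directory.
    if dst.st_uid != service_uid or not (dst.st_mode & stat.S_IWUSR):
        problems.append("directory is not writable by the service user")

    if not os.path.exists(key_path):
        return problems          # first start has not happened yet

    fst = os.stat(key_path)
    # Requirement 2: only the service user may read the key.
    if fst.st_uid != service_uid:
        problems.append("key is not owned by the service user")
    if fst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key is readable or writable by group/others")
    return problems


def demo_findings():
    """Constructed example: a world-readable key next to a locked-down one."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, dir_mode, key_mode in (("bad", 0o755, 0o644),
                                         ("good", 0o700, 0o600)):
            key_dir = os.path.join(base, name)
            os.mkdir(key_dir, dir_mode)
            key_path = os.path.join(key_dir, "session.key")
            with open(key_path, "w") as f:
                f.write("constructed, not real key material\n")
            os.chmod(key_path, key_mode)
            results[name] = check_session_key_location(key_path, me)
    return results


if __name__ == "__main__":
    for name, problems in demo_findings().items():
        print(name, problems or "ok")
```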

[Freeipa-devel] [freeipa PR#723][reopened] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
 Title: #723: Store GSSAPI session key in /var/run/httpd
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

simo5 commented:
"""
This patch is wrong, please revert.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-297699615

[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore

2017-04-26 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

simo5 commented:
"""
will a "systemctl reload gssproxy" do the right thing @frozencemetery?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/738#issuecomment-297543414

[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore

2017-04-26 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

simo5 commented:
"""
The name of the project is GSS-Proxy, the package name is gssproxy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/738#issuecomment-297484796

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-04-25 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From d81c6575847d5b4a772c0ca75736e2408d8fb244 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 31 ++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..5936151 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +19,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +124,29 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+saved_e = None
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception as e:
+# log only once for the same error
+if not isinstance(e, type(saved_e)):
+root_logger.debug(
+"Transient error getting keys: '{err}'".format(err=e))
+saved_e = e
+if int(time.time()) > deadline:
+raise RuntimeError("Timed out trying to obtain keys.")
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
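Review bot: this revision polls with `konn.get_key(KEY_USAGE_ENC, principal)`, which fetches and decodes the key material when the loop only needs to know the entry has replicated; a presence-only search would need fewer read permissions on the remote host and would not depend on which identity the installer happens to be bound with. The broad `except Exception` also hides the difference between "not replicated yet" and "cannot talk to this host at all"; at least include the final `saved_e` in the timeout error so a five-minute stall is diagnosable from the install log.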
@@ -129,6 +154,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb

[Freeipa-devel] [freeipa PR#727][+ack] Regenerate ASN.1 code with asn1c 0.9.28

2017-04-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/727
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28

Label: +ack

[Freeipa-devel] [freeipa PR#709][opened] Fix s4u2self with adtrust

2017-04-11 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/709
Author: simo5
 Title: #709: Fix s4u2self with adtrust
Action: opened

PR body:
"""
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/709/head:pr709
git checkout pr709
From ee2c16a6dfeda15bebd29da73411deb23c7308dd Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 10 Apr 2017 15:32:54 -0400
Subject: [PATCH] Fix s4u2self with adtrust

When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index cf1bd5b..00cc19c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2117,6 +2117,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 struct ipadb_context *ipactx;
 bool with_pac;
 bool with_pad;
+bool make_ad = false;
 int result;
 krb5_db_entry *client_entry = NULL;
 krb5_boolean is_equal;
@@ -2165,7 +2166,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
   "currently not supported.");
 }
 
-if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+/* we need to create a PAC if we are requested one and this is an AS REQ,
+ * or we are doing protocol transition (s4u2self) */
+if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
+make_ad = true;
+}
+
+if (with_pac && make_ad) {
 /* Be aggressive here: special case for discovering range type
  * immediately after establishing the trust by IPA framework */
 if ((krb5_princ_size(context, ks_client_princ) == 2) &&
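Review bot: `make_ad` is set for `KRB5_KDB_FLAG_PROTOCOL_TRANSITION` without also requiring `KRB5_KDB_FLAG_INCLUDE_PAC`, so the two halves of the condition are asymmetric; if that is deliberate (a fresh PAC is always needed for the impersonated user on S4U2Self) say so in the comment, otherwise apply the flag to both. A debug log line when the transition branch is taken would make it visible in the KDC log that a PAC was generated for a principal other than the requestor.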
@@ -2188,9 +2196,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 if (kerr != 0 && kerr != ENOENT) {
 goto done;
 }
-}
-
-if (!is_as_req && with_pac) {
+} else if (with_pac && !is_as_req) {
 /* find the existing PAC, if present */
 kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
   KRB5_AUTHDATA_WIN2K_PAC, _auth_data);
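Review bot: turning the second `if` into `else if (with_pac && !is_as_req)` means a TGS request carrying the protocol-transition flag no longer looks for or verifies a PAC in the requestor's ticket at all; the commit message should state why that is safe (the requestor's PAC is not what goes into the ticket issued for the impersonated user) rather than only that a new PAC is generated. Also `_auth_data` on the last context line reads like a mangled `&auth_data` in the mail rendering; worth checking the patch applies cleanly from the list archive.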

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-04-04 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From 5d9103248e510a3c64314fe59284a8420a6f3a67 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 25 -
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..d60276a 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +19,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception:
+if int(time.time()) > deadline:
+raise
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
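Review bot: `except Exception:` followed by a bare `raise` only after the deadline means an installer that cannot reach `host` at all (wrong DNS, port 389 filtered, LDAP down) silently spins for 300 seconds with nothing in the log, and the exception that finally propagates is whichever one the last iteration happened to hit. Log each distinct error at debug level as it occurs and narrow the except to connection and "no such object" errors; anything else should fail immediately.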
@@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-04-04 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, they are not duplicates.
I'll fix the commit message.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-04-03 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From 23202d83b965df7d0a879ecde02b706beb6f90cc Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 25 -
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..d60276a 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +19,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception:
+if int(time.time()) > deadline:
+raise
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
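Review bot: `ldap_uri = 'ldap://%s' % host` is a plain ldap:// URI; since `__wait_keys` only reads back our own public key to confirm replication has caught up, that is acceptable for confidentiality, but a comment saying so (and stating which identity `KEMLdap` binds with, if any) would stop a later reader from switching it to ldaps without knowing whether the remote replica serves TLS at this point of the install. The `timeout=300` default is also never overridden by the caller in the next hunk, so a slow replication topology has no knob to adjust it.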
@@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb

[Freeipa-devel] [freeipa PR#679][opened] Make sure remote hosts have our keys

2017-03-31 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: opened

PR body:
"""
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From f51e478fb79cda153a6d0483369f0159088423fb Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 27 +--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..4d6e7ba 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,15 +1,17 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
-from ipapython import ipautil
+from ipapython import ipautil, ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
+from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
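Review bot: `ipaldap` on the `from ipapython import ipautil, ipaldap` line and `from ipaserver.install import replication` are new imports that nothing in this patch uses; drop them, or pylint's unused-import check will flag the module. `KEY_USAGE_ENC` and `KEMLdap` are the only new names `__wait_keys` actually needs.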
@@ -18,6 +20,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +125,22 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+
+result = None
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception as e:
+if int(time.time()) > deadline:
+raise e
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
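Review bot: in `__wait_keys`, `except Exception as e` followed by `raise e` retries on every kind of failure, so a wrong LDAP URI, a refused connection or an access denial is silently retried for the full 300 seconds and is then re-raised from the `raise e` line instead of from where it happened. Catch only the not-found condition that replication lag produces and use a bare `raise` so the original traceback survives. `result = None` is assigned and never read, and a log line naming the host and principal being waited on would make a stalled install far easier to diagnose.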
@@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+sel.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
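Review bot: `sel.__wait_keys(ca_host)` references an undefined name and raises `NameError` the first time `__get_keys` runs, so the wait never happens and the install fails; it must be `self.__wait_keys(ca_host)`.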
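The wait-for-replication idea in the PR description above, as an added example rather than FreeIPA's own `__wait_keys`: it polls an injectable lookup until the key is visible, retries only the not-yet-replicated condition, measures the deadline with a monotonic clock, and reports how many attempts were needed. `wait_for_key`, `KeyNotReplicatedYet` and `WaitTimeout` are names chosen here, not FreeIPA APIs; `FakeReplicatedStore`, `FakeClock` and the principal string are constructed so the block runs offline.

```python
import time


class KeyNotReplicatedYet(Exception):
    """Raised by a lookup when the entry is not yet visible on the target host."""


class WaitTimeout(Exception):
    """Raised when the deadline passes before the key shows up."""


def wait_for_key(lookup, principal, timeout=300, interval=1.0,
                 clock=time.monotonic, sleep=time.sleep):
    """Poll lookup(principal) until it returns a key or `timeout` seconds pass.

    Only a not-yet-replicated result (KeyNotReplicatedYet) is retried; any
    other error (bad credentials, unreachable server, ...) propagates at once
    instead of being masked for the whole timeout window.  Returns the key
    and the number of attempts that were needed.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return lookup(principal), attempts
        except KeyNotReplicatedYet as exc:
            if clock() >= deadline:
                raise WaitTimeout("%s not visible after %d attempts in %ss"
                                  % (principal, attempts, timeout)) from exc
            sleep(interval)


class FakeReplicatedStore:
    """Constructed stand-in for a remote LDAP lookup: the key "appears" only
    after a given number of failed reads, mimicking replication lag."""

    def __init__(self, appears_after, key=b"constructed-public-key"):
        self.appears_after = appears_after
        self.key = key
        self.reads = 0

    def get_key(self, principal):
        self.reads += 1
        if self.reads <= self.appears_after:
            raise KeyNotReplicatedYet(principal)
        return self.key


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo(appears_after, timeout):
    """Run one wait against a constructed store and report the outcome."""
    store = FakeReplicatedStore(appears_after)
    clock = FakeClock()
    principal = "host/replica.example.test@EXAMPLE.TEST"  # constructed
    try:
        key, attempts = wait_for_key(store.get_key, principal, timeout=timeout,
                                     clock=clock, sleep=clock.sleep)
        return ("ok", attempts, key)
    except WaitTimeout:
        return ("timeout", store.reads, None)


if __name__ == "__main__":
    print(demo(appears_after=3, timeout=10))   # key appears on the 4th read
    print(demo(appears_after=50, timeout=10))  # gives up once the deadline passes
```

The two design choices worth carrying over into real code: the deadline is taken from a monotonic clock, so an NTP step on a freshly installed replica cannot stretch or cut the wait, and the retry condition is a single, specific exception, so a configuration or authorization error fails immediately instead of looking like replication lag for five minutes.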

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-03-31 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
I haven't tested this yet ... but what could possibly go wrong? :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-290762100

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-03-31 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From f2835bfcef51e10f05aa1f699e0a79206c55e554 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 29 +++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..f560172 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,15 +1,17 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
-from ipapython import ipautil
+from ipapython import ipautil, ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
+from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
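Review bot: `ipaldap` and `replication` are still imported in this revision without being used anywhere in the diff; please remove both before merge.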
@@ -18,6 +20,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +125,24 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+result = None
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception:
+if int(time.time()) > deadline:
+raise
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
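Review bot: the bare `raise` and the log line giving the timeout and host are welcome, but `except Exception` in `__wait_keys` still turns any error from `konn.get_key` (connection refused, bad URI, ACI denial) into a five-minute stall before the real error surfaces; narrow it to the not-found condition that replication lag produces. `result = None` is still assigned and never read.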
@@ -129,6 +150,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+sel.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
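Review bot: `sel.__wait_keys(ca_host)` is still a typo for `self.__wait_keys(ca_host)`; as written it raises `NameError` before the Custodia client is even created.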

[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-03-31 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From cefe3dfb81d0a78072fa03c14e6265c261bae162 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 28 ++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..38035b4 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,15 +1,17 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
-from ipapython import ipautil
+from ipapython import ipautil, ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
+from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
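Review bot: neither `ipaldap` nor `replication` is referenced by the code this patch adds; both imports should go.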
@@ -18,6 +20,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +125,23 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting to see our keys appear on %s".format(host))
+
+result = None
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception:
+if int(time.time()) > deadline:
+raise
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
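Review bot: `"Waiting to see our keys appear on %s".format(host)` mixes the two formatting styles: `str.format` does not substitute `%s`, so the log line prints the literal text `%s` and `host` is silently discarded. Use `"... on %s" % host` or a `{}` placeholder with `.format(host)`. Separately, `except Exception` retries on any error for the full timeout, so narrow it, and `result = None` is never read.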
@@ -129,6 +149,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+sel.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
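Review bot: `sel.__wait_keys(ca_host)` must be `self.__wait_keys(ca_host)`; the undefined name raises `NameError` at runtime, so the new wait is never reached.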

[Freeipa-devel] [freeipa PR#664][opened] Backport of client session storage patches

2017-03-28 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/664
Author: simo5
 Title: #664: Backport of client session storage patches
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/664/head:pr664
git checkout pr664
From 00457bdbb587aee442768582b24e5b29dfdafa10 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 14 Mar 2017 18:20:13 +0100
Subject: [PATCH 1/5] Python 3: Fix session storage

ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.

Signed-off-by: Christian Heimes <chei...@redhat.com>
Reviewed-By: Simo Sorce <sso...@redhat.com>
---
 ipapython/session_storage.py | 19 ++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 7fe17fb..bcf0947 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -104,6 +104,13 @@ def store_data(princ_name, key, value):
 """
 Stores the session cookie in a hidden ccache entry.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('ascii')
+if not isinstance(value, bytes):
+value = value.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
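Review bot: `key.encode('ascii')` in `store_data` does not match `key.encode('utf-8')` in `get_data` and `remove_data` further down; a key containing a non-ASCII character would raise `UnicodeEncodeError` on store but be accepted on retrieval. Either encoding is fine for a ccache config name, but use the same one in all three places, ideally through one small helper instead of three copies of the isinstance/encode block.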
@@ -136,6 +143,11 @@ def get_data(princ_name, key):
 """
 Gets the session cookie in a hidden ccache entry.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
@@ -152,7 +164,7 @@ def get_data(princ_name, key):
 krb5_cc_get_config(context, ccache, principal, key,
ctypes.byref(data))
 
-return str(data.data)
+return data.data.decode('utf-8')
 
 finally:
 if principal:
@@ -169,6 +181,11 @@ def remove_data(princ_name, key):
 """
 Removes the hidden ccache entry with the session cookie.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()

From 6a456dd40c861cdc37359f67e24ef9bc3dfea053 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 2/5] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
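Review bot: `oldvalue == value` can never be true on Python 3: `value` was just encoded to bytes in the lines above, while `get_data` (patch 1/5 of this series) returns `data.data.decode('utf-8')`, a text string. The comparison is always False, the early `return` is dead, and the FILE ccache keeps growing exactly as before. Compare `oldvalue.encode('utf-8') == value`, or run the check before `value` is encoded. Also confirm `get_data` returns `None` rather than raising when no entry exists yet, since this guard runs on the very first store.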

From afb87ae3b7e08e42f4bd2399f48a0f2c45012cb2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 3/5] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cooki

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
Should I make a new PR for 4.5 ?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-289761195

[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes

2017-03-24 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
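Review bot: `value` is bytes at this point (encoded just above), so this dedup only works if `get_data` returns bytes as well; if it decodes the stored value to text, `oldvalue == value` is always False on Python 3 and the guard never fires. Also cover the first-store case: if `get_data` raises when the entry is missing, `store_data` fails before it ever writes anything.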

From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 2/4] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
 """
 Two things can happen here. If we have a session we will add
 a cookie for that. If not we will set an Authorization header.
 """
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
-extra_headers = []
+if not isinstance(self._extra_headers, list):
+self._extra_headers = []
 
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie:
-extra_headers.append(('Cookie', session_cookie))
-return (host, extra_headers, x509)
+# Remove any existing Cookie first
+self._remove_extra_header('Cookie')
+if use_cookie:
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie:
+self._extra_headers.append(('Cookie', session_cookie))
+return
 
 # Set the remote host principal
+host = self._get_host()
 service = self.service + "@" + host.split(':')[0]
 
 try:
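Review bot: in `get_auth_info`, the cookie path returns right after removing and re-adding `Cookie`, but leaves in `self._extra_headers` any `Authorization: negotiate ...` header a previous `_set_auth_header` call put there. After a 401 fallback, the next call with `use_cookie=True` would therefore send a stale SPNEGO token alongside the session cookie. Call `self._remove_extra_header('Authorization')` before the `if use_cookie:` branch as well. Minor: `_remove_extra_header` modifies the list while iterating over it, which is safe only because of the immediate `break`; a one-line comment there would save the next reader a double-take.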
@@ -616,18 +627,14 @@ def get_host_info(self, host):
 except gssapi.exceptions.GSSError as e:
 self._handle_exception(e, service=service)
 
-self._set_auth_header(extra_headers, response)
-
-return (host, extra_headers, x509)
+self._set_auth_header(response)
 
-def _set_auth_header(self, extra_headers, token):
-for (h, v) in extra_headers:
-if h == 'Authorization':
-extra_headers.remove((h, v))
-break
+def _set_auth_header(self, token):
+# Remove any existing authorization header first
+self._remove_extra_header('Authorization')
 
 if token:
-extra_headers.append(
+self._extra_headers.append(
 ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
@@ -651,18 +658,23 @@ def _auth_complete(self, response):
 if self._sec_context.complete:
 self._sec_context = None
 return True
-self._set_auth_header(self._extra_headers, token)
+self._set_auth_header(token)
+return False
+elif response.status == 401:
+self.get_auth_info(
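Review bot: the visible part of the new `elif response.status == 401:` branch does not show the "did we already try SPNEGO" guard the commit message describes (checking for an existing GSSAPI context). Make sure `get_auth_info(use_cookie=False)` can run at most once per request; otherwise a server that keeps answering 401 drives the client into a retry loop.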

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
I should have addressed all comments.

I did not comment on krb5_principal_compare() because I think that is obvious 
and the function definition also does not define an errcheck argument for it so 
it should be clear enough.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-289060068

[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes

2017-03-24 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
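Review bot: the equality guard here compares `value`, which is bytes after the encode above, against whatever `get_data` returns; unless `get_data` also returns bytes the check is always False on Python 3 and every call still appends to the FILE ccache. Please also make sure a missing entry yields `None` instead of an exception on the first store.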

From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 2/4] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
 """
 Two things can happen here. If we have a session we will add
 a cookie for that. If not we will set an Authorization header.
 """
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
-extra_headers = []
+if not isinstance(self._extra_headers, list):
+self._extra_headers = []
 
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie:
-extra_headers.append(('Cookie', session_cookie))
-return (host, extra_headers, x509)
+# Remove any existing Cookie first
+self._remove_extra_header('Cookie')
+if use_cookie:
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie:
+self._extra_headers.append(('Cookie', session_cookie))
+return
 
 # Set the remote host principal
+host = self._get_host()
 service = self.service + "@" + host.split(':')[0]
 
 try:
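Review bot: the early `return` on the cookie path in `get_auth_info` does not clear a leftover `Authorization` header from an earlier SPNEGO round, so after one 401 fallback the client can send both a session cookie and a stale negotiate token. Removing `Authorization` alongside `Cookie` at the top of the function closes that gap.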
@@ -616,18 +627,14 @@ def get_host_info(self, host):
 except gssapi.exceptions.GSSError as e:
 self._handle_exception(e, service=service)
 
-self._set_auth_header(extra_headers, response)
-
-return (host, extra_headers, x509)
+self._set_auth_header(response)
 
-def _set_auth_header(self, extra_headers, token):
-for (h, v) in extra_headers:
-if h == 'Authorization':
-extra_headers.remove((h, v))
-break
+def _set_auth_header(self, token):
+# Remove any existing authorization header first
+self._remove_extra_header('Authorization')
 
 if token:
-extra_headers.append(
+self._extra_headers.append(
 ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
@@ -651,18 +658,23 @@ def _auth_complete(self, response):
 if self._sec_context.complete:
 self._sec_context = None
 return True
-self._set_auth_header(self._extra_headers, token)
+self._set_auth_header(token)
+return False
+elif response.status == 401:
+self.get_auth_info(
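Review bot: the 401 branch needs a guard that limits the `get_auth_info` fallback to a single attempt per request (the GSSAPI-context check the commit message mentions); the lines visible here do not show it, and without it a persistent 401 loops.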

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
Thank you @tiran @abbra, all very good comments; I'll address all of them soon.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-289014748

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
I added a 4th patch to address the FILE ccache growth issue.
It is a bit unorthodox but it works. Please review carefully and let me know if 
you are ok with this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-21336

[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
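Review bot: `oldvalue == value` only suppresses the write when both sides have the same type; `value` is bytes here, so `get_data` must return bytes (not decoded text) for the guard to ever be true on Python 3. Handling the no-entry-yet case of `get_data` without an exception is also needed for the first store.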

From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 2/4] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
 """
 Two things can happen here. If we have a session we will add
 a cookie for that. If not we will set an Authorization header.
 """
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
-extra_headers = []
+if not isinstance(self._extra_headers, list):
+self._extra_headers = []
 
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie:
-extra_headers.append(('Cookie', session_cookie))
-return (host, extra_headers, x509)
+# Remove any existing Cookie first
+self._remove_extra_header('Cookie')
+if use_cookie:
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie:
+self._extra_headers.append(('Cookie', session_cookie))
+return
 
 # Set the remote host principal
+host = self._get_host()
 service = self.service + "@" + host.split(':')[0]
 
 try:
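Review bot: `get_auth_info` strips and re-adds `Cookie` but not `Authorization` before returning on the cookie path, so a negotiate token left behind by an earlier `_set_auth_header` call is resent together with the cookie on the next request. Clear both headers before the `if use_cookie:` branch.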
@@ -616,18 +627,14 @@ def get_host_info(self, host):
 except gssapi.exceptions.GSSError as e:
 self._handle_exception(e, service=service)
 
-self._set_auth_header(extra_headers, response)
-
-return (host, extra_headers, x509)
+self._set_auth_header(response)
 
-def _set_auth_header(self, extra_headers, token):
-for (h, v) in extra_headers:
-if h == 'Authorization':
-extra_headers.remove((h, v))
-break
+def _set_auth_header(self, token):
+# Remove any existing authorization header first
+self._remove_extra_header('Authorization')
 
 if token:
-extra_headers.append(
+self._extra_headers.append(
 ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
@@ -651,18 +658,23 @@ def _auth_complete(self, response):
 if self._sec_context.complete:
 self._sec_context = None
 return True
-self._set_auth_header(self._extra_headers, token)
+self._set_auth_header(token)
+return False
+elif response.status == 401:
+self.get_auth_info(
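Review bot: the new `elif response.status == 401:` path should only call `get_auth_info` when no GSSAPI exchange has been attempted yet for this request, as the commit message describes; the visible lines stop before that guard, so please confirm it is present to avoid retrying forever against a server that keeps returning 401.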

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
The FILE ccache is still growing because we keep getting updated cookies (where 
the only thing that changes is the expiration date).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-288859035
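The ccache growth simo5 describes above, as an added example that is not FreeIPA's `session_storage.py`: a constructed append-only cache stands in for a FILE ccache, and two versions of the dedup guard from the "Avoid growing FILE ccaches unnecessarily" patch show why comparing a decoded text value against freshly encoded bytes never matches, and that even the working guard still appends whenever the cookie's expiry changes. `AppendOnlyCache`, `store_data_naive`, `store_data_fixed`, `record_count` and the cookie strings are names and values made up for this example.

```python
class AppendOnlyCache:
    """Constructed stand-in for a FILE ccache: every store appends a new
    record and a read returns the most recently written value for a key."""

    def __init__(self):
        self.records = []  # (key, value) pairs in write order

    def put(self, key, value):
        self.records.append((key, value))

    def get(self, key):
        for k, v in reversed(self.records):
            if k == key:
                return v
        return None


def _to_bytes(text_or_bytes):
    # ctypes-backed ccache calls take bytes; normalise text at the boundary.
    if isinstance(text_or_bytes, bytes):
        return text_or_bytes
    return text_or_bytes.encode('utf-8')


def get_data(cache, key):
    """Return the stored value decoded to text, or None if there is none."""
    raw = cache.get(_to_bytes(key))
    return None if raw is None else raw.decode('utf-8')


def store_data_naive(cache, key, value):
    """Dedup guard comparing text with bytes: the early return never fires,
    so every call appends a record."""
    key, value = _to_bytes(key), _to_bytes(value)
    if get_data(cache, key) == value:   # str == bytes is always False on Py3
        return False
    cache.put(key, value)
    return True


def store_data_fixed(cache, key, value):
    """Same guard comparing like with like; an unchanged value is skipped."""
    key, value = _to_bytes(key), _to_bytes(value)
    old = get_data(cache, key)
    if old is not None and old.encode('utf-8') == value:
        return False
    cache.put(key, value)
    return True


def record_count(store, values):
    """Store each value in turn under one key and report how many records
    the cache holds afterwards."""
    cache = AppendOnlyCache()
    for v in values:
        store(cache, 'ipa_session', v)
    return len(cache.records)


# Constructed cookie values: the same cookie three times, then one whose only
# difference is a renewed expiry, which legitimately needs a new record.
SAME = ['ipa_session=abc; Expires=Thu, 23 Mar 2017 20:00:00 GMT'] * 3
RENEWED = SAME + ['ipa_session=abc; Expires=Thu, 23 Mar 2017 20:20:00 GMT']

if __name__ == '__main__':
    print(record_count(store_data_naive, SAME))     # 3: guard never fires
    print(record_count(store_data_fixed, SAME))     # 1
    print(record_count(store_data_fixed, RENEWED))  # 2: changed value is stored
```

The last call is the situation the comment above reports: once the server renews the cookie on every response, the value really does differ each time, and a store-time equality check cannot prevent the cache from growing; only a cache type that overwrites in place, or a store that ignores expiry-only changes, would.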

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches

simo5 commented:
"""
This PR has been obsoleted by #649
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/638#issuecomment-288850585

[Freeipa-devel] [freeipa PR#638][closed] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
Note I am still running tests, but I think the patchset is good for review 
already.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-288850417

[Freeipa-devel] [freeipa PR#649][opened] Session cookie storage and handling fixes

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: opened

PR body:
"""
This patchset improves the behavior of the client in various ways.
- Avoids unbounded growth of FILE ccaches
- Fix regression with session cookies updates not being retrievable with FILE 
caches
- Fix client authentication to better handle servers that may decide our cookie 
is not good anymore
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 1/3] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
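Review bot: the early return in `store_data` assumes `get_data(princ_name, key)` returns a value comparable to `value` for a key that has never been stored; if `get_data` raises for a missing entry, the very first store for a principal now fails, and if it returns `str` while `value` has just been coerced to `bytes`, the comparison is always False and the FILE ccache keeps growing exactly as before. Suggest guarding the lookup (`try: oldvalue = get_data(princ_name, key)` / `except Exception: oldvalue = None`) and adding a test that a second identical `store_data` call leaves the ccache entry count unchanged.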

From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 2/3] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
 """
 Two things can happen here. If we have a session we will add
 a cookie for that. If not we will set an Authorization header.
 """
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
-extra_headers = []
+if not isinstance(self._extra_headers, list):
+self._extra_headers = []
 
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie:
-extra_headers.append(('Cookie', session_cookie))
-return (host, extra_headers, x509)
+# Remove any existing Cookie first
+self._remove_extra_header('Cookie')
+if use_cookie:
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie:
+self._extra_headers.append(('Cookie', session_cookie))
+return
 
 # Set the remote host principal
+host = self._get_host()
 service = self.service + "@" + host.split(':')[0]
 
 try:
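Review bot: in `get_auth_info`, the cookie branch removes only the `Cookie` header before the early `return`, so an `Authorization: negotiate ...` header left over from an earlier SPNEGO round trip stays in `self._extra_headers` and is sent alongside the session cookie; call `self._remove_extra_header('Authorization')` (or `self._set_auth_header(None)`) before returning so only one credential is presented per request. Also, `_get_host` reads `self._connection[0]`, a private attribute of the base `Transport` that is only populated once a connection has been made, so `host.split(':')` will fail if `get_auth_info` is ever invoked before the first connection; a guard or a comment on that ordering assumption would help.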
@@ -616,18 +627,14 @@ def get_host_info(self, host):
 except gssapi.exceptions.GSSError as e:
 self._handle_exception(e, service=service)
 
-self._set_auth_header(extra_headers, response)
-
-return (host, extra_headers, x509)
+self._set_auth_header(response)
 
-def _set_auth_header(self, extra_headers, token):
-for (h, v) in extra_headers:
-if h == 'Authorization':
-extra_headers.remove((h, v))
-break
+def _set_auth_header(self, token):
+# Remove any existing authorization header first
+self._remove_extra_header('Authorization')
 
 if token:
-extra_headers.append(
+self._extra_headers.append(
 ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
@@ -651,18 +658,23 @@ def _au

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches

simo5 commented:
"""
One way to deal with this in the FILE case is to copy the ccache to a tmp file 
and then rename to the original one. There is a risk of racing and removing a 
new ticket, but it is low.

Luckily this problem should be solved once we have KCM caches ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/638#issuecomment-288406237

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
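Review bot: `allow_client_ccache_sync` is described in the commit message as an option still planned for gssproxy 0.7, so the spec file `Requires` on gssproxy needs to be raised to the first release that understands it in the same change (the request for `gssproxy >= 0.7.0` in #511 in this digest is the matching piece); otherwise an older gssproxy is handed a config key it does not know. The second hunk also still carries `allow_constrained_delegation = true` as context in the `$IPAAPI_USER` service section, which #585 removes, so whichever of the two lands second will need a rebase.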

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

simo5 commented:
"""
@MartinBasti can we push this ? It makes a big difference in framework 
performance and load on the KDC
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-287024418

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

[Freeipa-devel] [freeipa PR#594][+ack] Fix Python 3 pylint errors

2017-03-15 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/594
Title: #594: Fix Python 3 pylint errors

Label: +ack

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-15 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 9a89d1d279403190b3273cba25204a9e4af564c5 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

[Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

simo5 commented:
"""
Technically principal names could use any encoding ... but we make the 
assumption they are utf-8 in freeIPA, so this should be ok.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/587#issuecomment-286518991

[Freeipa-devel] [freeipa PR#587][+ack] Python 3: Fix session storage

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

Label: +ack

[Freeipa-devel] [freeipa PR#585][+ack] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

Label: +ack

[Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
"""
Please change commit message to:

The Apache process *must* not be allowed to use constrained delegation to contact 
services because it is already allowed to impersonate users to itself. Allowing 
it to perform constrained delegation would let it impersonate any user against 
the LDAP service without authentication.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668

[Freeipa-devel] [freeipa PR#559][-ack] WebUI: Certificate login

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: -ack

[Freeipa-devel] [freeipa PR#559][reopened] WebUI: Certificate login

2017-03-14 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
You need to wait to get the gssproxy fix I've been developing today and set the 
minimum gssproxy version to the one with the fix once we get to publish it

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286478736

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
NACK NACK NACK
Please revert the change to the gssproxy template, it undoes half the work done 
in privilege separation
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286478501

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Sure no prob
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286391140

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Can you figure out exactly why certmonger is doing this ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-286366985

[Freeipa-devel] [freeipa PR#567][synchronized] Configure KDC to use certs after they are deployed

2017-03-10 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/567
Author: simo5
 Title: #567: Configure KDC to use certs after they are deployed
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/567/head:pr567
git checkout pr567
From 5758f8aad74b043d3d2e9b76c92cc5fbd66b5976 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 9 Mar 2017 12:49:54 -0500
Subject: [PATCH] Configure KDC to use certs after they are deployed

Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/kdc.conf.template  |  4 ++--
 ipaserver/install/krbinstance.py | 28 +++-
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1f..c9d5c28 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
-  pkinit_anchors = FILE:$CACERT_PEM
+$NOPK  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK  pkinit_anchors = FILE:$CACERT_PEM
  }
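Review bot: `$NOPK` is doing duty as a comment toggle for the two `pkinit_*` lines and nothing in the template says so; a one-line comment above them (e.g. `; $NOPK expands to ';' until the KDC certificate is deployed, then to ''`) would stop the next reader from "fixing" the odd-looking prefix. The substitution does keep the two leading spaces, so with `NOPK=''` the lines render as `  pkinit_identity = ...`, consistent with the rest of the `[realms]` entry.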
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..b92c436 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -68,6 +68,7 @@ def __init__(self, fstore=None):
 self.kdc_password = None
 self.sub_dict = None
 self.pkcs12_info = None
+self.config_pkinit = None
 
 suffix = ipautil.dn_attribute_property('_suffix')
 subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -140,12 +141,16 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 
 def __common_post_setup(self):
 self.step("starting the KDC", self.__start_instance)
+if self.config_pkinit:
+self.step("installing X509 Certificate for PKINIT",
+  self.setup_pkinit)
 self.step("configuring KDC to start on boot", self.__enable)
 
 def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
 self.master_password = master_password
 self.pkcs12_info = pkcs12_info
 self.subject_base = subject_base
+self.config_pkinit = setup_pkinit
 
 self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
@@ -160,10 +165,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 
 self.__common_post_setup()
 
-if setup_pkinit:
-self.step("installing X509 Certificate for PKINIT",
-  self.setup_pkinit)
-
 self.start_creation(runtime=30)
 
 self.kpasswd = KpasswdInstance()
@@ -178,14 +179,12 @@ def create_replica(self, realm_name,
 self.pkcs12_info = pkcs12_info
 self.subject_base = subject_base
 self.master_fqdn = master_fqdn
+self.config_pkinit = setup_pkinit
 
 self.__common_setup(realm_name, host_name, domain_name, admin_password)
 
 self.step("configuring KDC", self.__configure_instance)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
-if setup_pkinit:
-self.step("installing X509 Certificate for PKINIT",
-  self.setup_pkinit)
 
 self.__common_post_setup()
 
@@ -220,6 +219,7 @@ def __setup_sub_dict(self):
  KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
  DICT_WORDS=paths.DICT_WORDS,
  KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+ NOPK=';',
  KDC_CERT=paths.KDC_CERT,
  KDC_KEY=paths.KDC_KEY,
  CACERT_PEM=paths.CACERT_PEM)
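Review bot: with `NOPK=';'` as the default in `__setup_sub_dict`, every code path that re-renders `kdc.conf` from the template, not only first install, will comment out `pkinit_identity` and `pkinit_anchors` unless it explicitly sets `self.sub_dict['NOPK'] = ''`; please confirm that the upgrade and re-template paths either leave this file alone or set the flag when the KDC certificate is already present, since otherwise an upgrade would silently disable PKINIT on a working server.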
@@ -255,11 +255,12 @@ def __add_krb_container(self):
 def __add_default_acis(self):
 self._ldap_mod("default-aci.ldif", self.sub_dict)
 
-def __template_file(self, path, chmod=0o644):
+def __template_file(self, path, chmod=0o644, backup=True):
 template = os.path.join(paths.USR_SHARE_IPA_DIR,
 os.path.basename(path) + ".template")
 conf = ipautil.template_file(template, self.sub_dict)
-self.fstore.backup_file(path)
+if backup:
+self.fstore.backup_file(path)
 fd = open(path, "w+")
 fd.write(conf)
 fd.close()
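Review bot: `backup=False` on `__template_file` is correct for a second render, because the pre-install file was already saved by the first one, but the parameter has no docstring; a short comment saying `backup` must only be `False` for re-renders of a file already backed up would record why. The signature defaults `chmod=0o644`, and the lines of the function that apply it are outside this hunk, so if callers are expected to pass `chmod=None` to skip the mode change, those lines need to handle `None` explicitly.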
@@ -377,6 +378,15 @@ def setup_pkinit(self):
 # have any selinux i

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-10 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Should have addressed all concerns in this push
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-285660566

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

simo5 commented:
"""
Can you prepare patch for spec file that requires gssproxy >= 0.7.0 and 
mod_auth_gssapi >= 1.5.0 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-285507599

[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

simo5 commented:
"""
@martbab @abbra see the pull request in #567
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/564#issuecomment-285493983

[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/567
Title: #567: Configure KDC to use certs after they are deployed

simo5 commented:
"""
Still testing but this should be the way to go to fix the bug reported in #564
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/567#issuecomment-285493679

[Freeipa-devel] [freeipa PR#567][opened] Configure KDC to use certs after they are deployed

2017-03-09 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/567
Author: simo5
 Title: #567: Configure KDC to use certs after they are deployed
Action: opened

PR body:
"""
Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/567/head:pr567
git checkout pr567
From d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 9 Mar 2017 12:49:54 -0500
Subject: [PATCH] Configure KDC to use certs after they are deployed

Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/kdc.conf.template  |  4 ++--
 ipaserver/install/krbinstance.py | 19 ---
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index ec53a1f..c9d5c28 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
-  pkinit_anchors = FILE:$CACERT_PEM
+$NOPK  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
+$NOPK  pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 79803ca..04246de 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -139,7 +139,6 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password):
 pass
 
 def __common_post_setup(self):
-self.step("starting the KDC", self.__start_instance)
 self.step("configuring KDC to start on boot", self.__enable)
 
 def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None):
@@ -157,6 +156,7 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma
 self.step("creating a keytab for the machine", self.__create_host_keytab)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
 self.step("creating anonymous principal", self.add_anonymous_principal)
+self.step("starting the KDC", self.__start_instance)
 
 self.__common_post_setup()
 
@@ -183,6 +183,8 @@ def create_replica(self, realm_name,
 
 self.step("configuring KDC", self.__configure_instance)
 self.step("adding the password extension to the directory", self.__add_pwd_extop_module)
+self.step("starting the KDC", self.__start_instance)
+
 if setup_pkinit:
 self.step("installing X509 Certificate for PKINIT",
   self.setup_pkinit)
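Review bot: `create_instance` and `create_replica` now each register their own "starting the KDC" step and each keep a separate `if setup_pkinit:` block, while `__common_post_setup` has lost the start step; the required ordering (start the KDC, deploy the PKINIT certificate, then enable on boot) is identical for both paths, so consider moving both steps into `__common_post_setup`, guarded by an instance attribute set from `setup_pkinit`, so the two paths cannot drift apart.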
@@ -220,6 +222,7 @@ def __setup_sub_dict(self):
  KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL,
  DICT_WORDS=paths.DICT_WORDS,
  KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB,
+ NOPK=';',
  KDC_CERT=paths.KDC_CERT,
  KDC_KEY=paths.KDC_KEY,
  CACERT_PEM=paths.CACERT_PEM)
@@ -255,11 +258,12 @@ def __add_krb_container(self):
 def __add_default_acis(self):
 self._ldap_mod("default-aci.ldif", self.sub_dict)
 
-def __template_file(self, path, chmod=0o644):
+def __template_file(self, path, chmod=0o644, backup=True):
 template = os.path.join(paths.USR_SHARE_IPA_DIR,
 os.path.basename(path) + ".template")
 conf = ipautil.template_file(template, self.sub_dict)
-self.fstore.backup_file(path)
+if backup:
+self.fstore.backup_file(path)
 fd = open(path, "w+")
 fd.write(conf)
 fd.close()
@@ -377,6 +381,15 @@ def setup_pkinit(self):
 # have any selinux issues with the file context
 shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
 
+# Now modify configuration to add pkinit anchors and restart KDC
+self.sub_dict['NOPK'] = ''
+self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False)
+try:
+self.stop()
+self.start()
+except Exception:
+root_logger.critical("krb5kdc service failed to restart")
+
 def get_anonymous_principal_name(self):
 return "%s@%s" % (ANON_USER, self.realm)
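Review bot: in `setup_pkinit`, the `except Exception:` around `self.stop()` / `self.start()` only logs at critical level and lets installation continue, so a KDC that fails to come back after the re-render is reported as a successful install and the following "configuring KDC to start on boot" step runs against a stopped service; re-raise after logging, or fail the step, so the installer stops at the real error. Also, `chmod=None` is passed to `__template_file`, whose default is `0o644`; make sure the function treats `None` as "leave the mode unchanged" rather than calling `os.chmod` with it.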
 

[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/564
Title: #564: Reconfigure Kerberos library config as the last step of KDC install

simo5 commented:
"""
I do not think this is the correct fix/bug
What we want to do is to change kdc.conf to require certs only after we have 
installed them.
The KDC is already properly configured and running otherwise but fails to start 
on replica because certs are not there. We need it to not fail, not to allow 
certmonger to go over the network to other servers
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/564#issuecomment-285422563

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
Oops sorry, forgot to run make pylint on my last iteration, should be all fixed 
now
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-285356420

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-09 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From c1ae93acad645c7725041cc10bf14b10fb94533c Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py   |  27 +---
 ipapython/session_storage.py| 197 
 ipatests/test_ipapython/test_session_storage.py |  37 +
 3 files changed, 239 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py
 create mode 100644 ipatests/test_ipapython/test_session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..3a589cb 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,10 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+session_storage.store_data(principal, CCACHE_COOKIE_KEY, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
@@ -122,13 +111,10 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+return session_storage.get_data(principal, CCACHE_COOKIE_KEY)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +124,10 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+session_storage.remove_data(principal, CCACHE_COOKIE_KEY)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..7fe17fb
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,197 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+KRB5_CC_NOSUPP = -1765328137
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+
+class KRB5Error(Exception):
+pass
+
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+i
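Review bot: the `("data", ctypes.c_char_p)` field in `_krb5_data` will not honour `length` when read back: ctypes converts a c_char_p structure member to a Python bytes object by scanning to the first NUL, and krb5_data buffers are not guaranteed to be NUL-terminated, so a value read from the ccache can be truncated or over-read. Declaring the member as `ctypes.POINTER(ctypes.c_char)` and extracting it with `ctypes.string_at(d.data, d.length)` keeps the read bounded by `length`; storing a value then means filling both `length` and `data` explicitly. A one-line comment on the struct saying why the pointer type was chosen would help the next reader.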

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
Ok I decided to do away with the whole class stuff, given we never really keep 
around the class object for more than one operation at a time in actual use.
As @rcritten requested I also added a test, and I am glad it was asked as I 
found a failure case we need to handle (see the exception handling in 
remove_data()).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-285339682

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-09 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 136f5b4bb40fc4869a91518ff181cc449b2d43d7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py   |  27 +---
 ipapython/session_storage.py| 197 
 ipatests/test_ipapython/test_session_storage.py |  40 +
 3 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py
 create mode 100644 ipatests/test_ipapython/test_session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..2b545b2 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,10 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+session_storage.store_data(principal, CCACHE_COOKIE_KEY, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
@@ -122,13 +111,10 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+return session_storage.store_data(principal, CCACHE_COOKIE_KEY)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
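Review bot: `+return session_storage.store_data(principal, CCACHE_COOKIE_KEY)` in read_persistent_client_session_data calls the store routine rather than the getter, so every read of the session data becomes a store call with a missing data argument (store_data takes three arguments in the update hunk above), fails inside the try, and surfaces as ValueError. It should read `return session_storage.get_data(principal, CCACHE_COOKIE_KEY)`, in line with the remove hunk below using remove_data.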
@@ -138,13 +124,10 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+session_storage.remove_data(principal, CCACHE_COOKIE_KEY)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..d2a01fc
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,197 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+KRB5_CC_NOSUPP = -1765328137
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+
+class KRB5Error(Exception):
+pass
+
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+i
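Review bot: raising ImportError from the module-level `ctypes.CDLL('libkrb5.so.3')` block, combined with the unconditional `+from ipapython import session_storage` in the rpc.py hunk, means `ipalib.rpc` itself can no longer be imported on a host where libkrb5.so.3 is missing, whereas the old kernel_keyring path had no such dependency. If that is the intended contract, a short comment here stating that libkrb5 is a hard requirement for the client would make the failure mode explicit; otherwise loading the library lazily on first use in store_data/get_data/remove_data keeps the import side-effect free.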

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 77ba575a4400e3e27eb8278e8d9161e8ae33d0d4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py|  30 ++-
 ipapython/session_storage.py | 193 +++
 2 files changed, 201 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..cf7765c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
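Review bot: each of the three wrappers now builds a fresh `session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)` inside its try block and uses it for exactly one call, so the object carries no state across operations and the construction code is repeated three times. Either plain module-level functions that take the key name, or a single module-level instance, would remove the duplication; if construction does real work (opening a krb5 context or the ccache) that is worth a comment, since it is now paid on every RPC.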
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..b997c80
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,193 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+
+class KRB5Error(Exception):
+pass
+
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+if result != 0:
+raise KRB5Error(result, func.__name__, argum

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
I also renamed the module and the class, makes more sense to me this way around.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284775755

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
Ok removed a bunch of code and made sure pylint passes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284775623

[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 1a90c205283f9c061753ed1d8ab33a0e4f2ac06e Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py|  30 ++-
 ipapython/session_storage.py | 186 +++
 2 files changed, 194 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/session_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..cf7765c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
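Review bot: `raise ValueError(str(e))` here wraps a KRB5Error whose args are the `(result, func.__name__, arguments)` tuple raised by krb5_errcheck in the session_storage hunk below, so the text that callers (and users) see is the repr of that tuple, ctypes pointer objects included, rather than a readable krb5 error. Giving KRB5Error a `__str__` that renders the error code (ideally via krb5_get_error_message) and omits the raw argument tuple would fix that at the source. Since the old `# kernel_keyring only raises ValueError (why??)` comment is dropped in this hunk, a one-line note that callers still expect ValueError would preserve that contract for future readers.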
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
new file mode 100644
index 000..10359e1
--- /dev/null
+++ b/ipapython/session_storage.py
@@ -0,0 +1,186 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+
+
+class KRB5Error(Exception):
+pass
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+raise ImportError(str(e))
+
+class _krb5_context(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_context"""
+_fields_ = []
+
+class _krb5_ccache(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_ccache"""
+_fields_ = []
+
+class _krb5_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct _krb5_data"""
+_fields_ = [
+("magic", ctypes.c_int32),
+("length", ctypes.c_uint),
+("data", ctypes.c_char_p),
+]
+
+class krb5_principal_data(ctypes.Structure):  # noqa
+"""krb5/krb5.h struct krb5_principal_data"""
+_fields_ = []
+
+def krb5_errcheck(result, func, arguments):
+"""Error checker for krb5_error return value"""
+if result != 0:
+raise KRB5Error(result, func.__name__, arguments)
+
+krb5_p

[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/546
Title: #546: Store session cookie in a ccache option

simo5 commented:
"""
@rcritten the keyring stuff is still used for detection of keyring in other 
places, so I did not touch it as those uses are still valid

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/546#issuecomment-284767193

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

simo5 commented:
"""
Yes, I think we should add a new PR later once we release gssproxy 0.7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-284743273

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/547
Title: #547: Use GSS-SPNEGO if connecting locally

simo5 commented:
"""
We actually do not need to put a strong require, this patch will work 
regardless, but won't provide any performance advantage on older versions.

You will add a stronger require when the GC work is done, so we can defer to 
that point to add it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/547#issuecomment-284743086
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu

2017-03-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/533
Title: #533: WebUI: Change structure of Identity submenu

simo5 commented:
"""
I do not have enough insights on the .js side to say this is all correct, but 
having seen the mockups I want to give an ack from my side here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/533#issuecomment-284739181

[Freeipa-devel] [freeipa PR#547][synchronized] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
 Title: #547: Use GSS-SPNEGO if connecting locally
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 431a21bace9d6e071c9f0bd7cfbc27d7748164bc Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a SASL bind with fewer roundtrips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)
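Review bot: the context line `Perform SASL bind operation using the SASL GSSAPI mechanism.` is now a stale docstring, since the method picks GSS-SPNEGO for ldapi connections and GSSAPI for everything else. Suggest updating it to say exactly that, so the mechanism selection is documented where a caller will look for it.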

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 4c13d3360b28da66cf1fe54e7fb1c022f24e4c2e Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
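Review bot: `allow_client_ccache_sync = true` is added to a template that is installed on every server regardless of the gssproxy version present, while the commit message says the option only lands in gssproxy 0.7. Please confirm that older gssproxy builds tolerate the unknown key in both service sections rather than refusing to start, and add a comment in the template (or a versioned Requires in the spec once 0.7 is released) recording the minimum version the option needs.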

[Freeipa-devel] [freeipa PR#547][opened] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/547
Author: simo5
 Title: #547: Use GSS-SPNEGO if connecting locally
Action: opened

PR body:
"""
GSS-SPNEGO allows us to negotiate a SASL bind with fewer roundtrips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/547/head:pr547
git checkout pr547
From 990f35d49602866724849f900e69079c5df6f86b Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a SASL bind with fewer roundtrips,
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so performance improvements there are not as important.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)
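Review bot: the `if self._protocol == 'ldapi':` branch carries no inline comment, so the reason it is limited to local sockets (the Cyrus SASL GSS-SPNEGO negotiation fix described in the commit message, which makes newer and older libsasl incompatible) lives only in git history and the branch is likely to be "generalised" to remote connections by a future cleanup. A two-line comment next to the condition would prevent that. Also worth confirming in the review that `self._protocol` is always populated before gssapi_bind can be called, since the hunk does not show where it is set.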

[Freeipa-devel] [freeipa PR#546][opened] Store session cookie in a ccache option

2017-03-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/546
Author: simo5
 Title: #546: Store session cookie in a ccache option
Action: opened

PR body:
"""
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/546/head:pr546
git checkout pr546
From 8aac1aee8c10810ef1e9590b23a982ed98585f09 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py   |  30 ++
 ipapython/ccache_storage.py | 234 
 2 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/ccache_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..027a11f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import ccache_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 Given a principal create or update the session data for that
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+s.store_data(principal, data)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
 '''
 Given a principal return the stored session data for that
@@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+return s.get_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
 '''
 Given a principal remove the session data for that
@@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal):
 '''
 
 try:
-keyname = client_session_keyring_keyname(principal)
+s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME)
+s.remove_data(principal)
 except Exception as e:
 raise ValueError(str(e))
 
-# kernel_keyring only raises ValueError (why??)
-kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
 """
 Wrap all ``str`` in ``xmlrpc.client.Binary``.
diff --git a/ipapython/ccache_storage.py b/ipapython/ccache_storage.py
new file mode 100644
index 000..2944b33
--- /dev/null
+++ b/ipapython/ccache_storage.py
@@ -0,0 +1,234 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import ctypes
+import os
+import sys
+
+import six
+
+
+class KRB5Error(Exception):
+pass
+
+
+PY3 = sys.version_info[0] == 3
+
+
+try:
+LIBKRB5 = ctypes.CDLL('libkrb5.so.3')
+except OSError as e:  # pragma: no cover
+LIBKRB5 = e
+else:
+class c_text_p(ctypes.c_char_p):  # noqa
+"""A c_char_p variant that can handle UTF-8 text"""
+@classmethod
+def from_param(cls, value):
+if value is None:
+return None
+if PY3 and isinstance(value, str):
+return value.encode('utf-8')
+elif not PY3 and isinstance(value, unicode):  # noqa
+return value.encode('utf-8')
+elif not isinstance(value, bytes):
+raise TypeError(value)
+else:
+return value
+
+@property
+def text(self):
+   
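Review bot: `except OSError as e: LIBKRB5 = e` turns a missing libkrb5 into a deferred failure: later `LIBKRB5.<func>` calls raise AttributeError rather than `KRB5Error`, and `c_text_p` only exists in the `else:` branch, so anything further down the module that references it at import time fails with NameError on a host without the library. Suggest checking `isinstance(LIBKRB5, Exception)` in the entry point and raising `KRB5Error(str(LIBKRB5))` there. Also `six` is imported, yet `PY3 = sys.version_info[0] == 3` and the `unicode  # noqa` reference reimplement `six.PY3` and `six.text_type`.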

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
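Review bot: `allow_client_ccache_sync = true` carries no trace of the requirement stated in the commit message (gssproxy 0.7 and krb5 1.15.1); once installed, /etc/gssproxy/10-ipa.conf is what an admin reads, so a comment line above the option recording the minimum versions (and that older gssproxy ignores it) would save a support question.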
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH 1/3] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

From 34553627ebd709dea371030b03607c9c167732b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 14:19:30 -0500
Subject: [PATCH 2/3] Use GSS-SPNEGO if connecting locally

GSS-SPNEGO allows us to negotiate a sasl bind with fewer roundtrips
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really looking
at speedups for the local shortlived connections performed by the
framework. Most other clients have longer lived connections, so
performance improvements there are not as important.

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipapython/ipaldap.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 82d45b9..b158598 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -52,6 +52,7 @@
 
 # Global variable to define SASL auth
 SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI')
+SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO')
 
 _debug_log_ldap = False
 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None):
 Perform SASL bind operation using the SASL GSSAPI mechanism.
 """
 with self.error_handler():
-auth_tokens = ldap.sasl.sasl({}, 'GSSAPI')
+if self._protocol == 'ldapi':
+auth_tokens = SASL_GSS_SPNEGO
+else:
+auth_tokens = SASL_GSSAPI
 self._flush_schema()
 self.conn.sasl_interactive_bind_s(
 '', auth_tokens, server_controls, client_controls)
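Review bot: the docstring at the top of this hunk, `Perform SASL bind operation using the SASL GSSAPI mechanism.`, is no longer accurate once `if self._protocol == 'ldapi': auth_tokens = SASL_GSS_SPNEGO` selects GSS-SPNEGO for ldapi. Update it, and add a comment on the branch giving the reason from the commit message (Cyrus SASL only recently does GSS-SPNEGO correctly, so it is limited to the local socket); otherwise the restriction looks like an oversight and will be "fixed" later.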

From 4a9b4a7769e36890f95d87053388579928088dd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: [PATCH 3/3] Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipalib/rpc.py   |  30 ++
 ipapython/ccache_storage.py | 234 
 2 files changed, 242 insertions(+), 22 deletions(-)
 create mode 100644 ipapython/ccache_storage.py

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5..be31333 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import ccache_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@
 unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-'''
-Return the key name used for storing the client session data for
-the given principal.
-'''
-
-return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
 '''
 

[Freeipa-devel] [freeipa PR#543][opened] Add options to allow ticket caching

2017-03-06 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: opened

PR body:
"""
With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

NOTE: It is safe to apply this to master, if gssproxy does not support this 
option it simply is ignored.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

[Freeipa-devel] [freeipa PR#532][+ack] Fix cookie with Max-Age processing

2017-03-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

Label: +ack

[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing

2017-03-03 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

simo5 commented:
"""
LGTM, please merge
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/532#issuecomment-284055799

[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing

2017-03-02 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/532
Title: #532: Fix cookie with Max-Age processing

simo5 commented:
"""
Ok, sorry, for some reason I thought this was on the server side, where we do 
not care what the cookie looks like, but on the client side we indeed care.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/532#issuecomment-283666136

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-01 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

simo5 commented:
"""
I am not sure we want to wait for replies from trusted domains, it may be very 
slow, and in some cases it will just not work right (one way trusts with strict 
access control on entries).
Active Directory forces users to provide a hint when logging into trusted 
domains with smart cards and does not query the remote domain. Have we 
considered this ?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283420862

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

simo5 commented:
"""
Why do we need to talk to SSSD to do this?
Don't we have all the needed data in LDAP already ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283115629

[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

2017-02-27 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/508
Title: #508: Fix ipa.service unit re. gssproxy

simo5 commented:
"""
Seemed worth fixing at the same time, but I won't insist.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/508#issuecomment-282770785

[Freeipa-devel] [freeipa PR#514][opened] Limit sessions to 30 minutes by default

2017-02-27 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/514
Author: simo5
 Title: #514: Limit sessions to 30 minutes by default
Action: opened

PR body:
"""
When we changed the session handling code we unintentionally extended
session expiration time to the whole ticket lifetime of 24h.

Related to https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <s...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/514/head:pr514
git checkout pr514
From 61d3244b77c293f786032e607417c1352de0aef0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 27 Feb 2017 10:50:03 -0500
Subject: [PATCH] Limit sessions to 30 minutes by default

When we changed the session handling code we unintentionally extended
session expiration time to the whole ticket lifetime of 24h.

Related to https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/conf/ipa.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 635bfe5..419d4e3 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -67,6 +67,7 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
+  SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiDelegCcacheDir /var/run/ipa/ccaches
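Review bot: `SessionMaxAge 1800` is a bare number in a file an admin will read; add a comment stating the unit (seconds, i.e. 30 minutes) and the intent from the commit message (sessions must not live for the full 24h ticket lifetime, ticket 5959). Since the session now expires on the server side, it is also worth confirming the client's cookie handling copes with an expiring session cookie (PR #532, "Fix cookie with Max-Age processing", is on this list).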

[Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client

2017-02-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/506
Title: #506: Use IPA CA cert in Custodia secrets client

simo5 commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/506#issuecomment-282282986

[Freeipa-devel] [freeipa PR#364][+ack] Client-only builds with --disable-server

2017-02-22 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

Label: +ack

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-22 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

simo5 commented:
"""
So this is the reasoning and why I am approving this PR and not #494.

When you build all components, including server bits, tests are installed, 
therefore when we build just client bits tests that are relevant to client bits 
also need to be installed for consistency.

Any switch should default to the same behavior regardless of whether server 
build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes 
default based on a different switch passed to configure.

As far as I understand this PR maintains the same default for either server or 
client only builds, so it gets my approval.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-281680804

[Freeipa-devel] [freeipa PR#485][opened] Fix session logout

2017-02-20 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/485
Author: simo5
 Title: #485: Fix session logout
Action: opened

PR body:
"""
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <s...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/485/head:pr485
git checkout pr485
From 85eb3103c04e6e125bdb1d09caed6a94580a7592 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 20 Feb 2017 12:38:11 -0500
Subject: [PATCH] Fix session logout

There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/plugins/session.py | 2 +-
 ipaserver/rpcserver.py   | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index 8e480ed..a049cd9 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -23,6 +23,6 @@ def execute(self, *args, **options):
 else:
 delattr(context, 'ccache_name')
 
-setattr(context, 'logout_cookie', '')
+setattr(context, 'logout_cookie', 'MagBearerToken=')
 
 return dict(result=None)
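Review bot: `setattr(context, 'logout_cookie', 'MagBearerToken=')` hard-codes a magic string with no comment on why an empty MagBearerToken value is what logs the session out, and the same string has to match what rpcserver emits in the IPASESSION header. Suggest a named module-level constant with a one-line comment so the two sides cannot drift apart silently.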
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index f5c520f..25f2740 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -434,6 +434,10 @@ def __call__(self, environ, start_response):
 response = status.encode('utf-8')
 headers = [('Content-Type', 'text/plain; charset=utf-8')]
 
+logout_cookie = getattr(context, 'logout_cookie', None)
+if logout_cookie is not None:
+headers.append(('IPASESSION', logout_cookie))
+
 start_response(status, headers)
 return [response]
 
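Review bot: `if logout_cookie is not None:` is a different test from the `if logout_cookie:` removed in the next hunk; with the new `'MagBearerToken='` value both fire, but a caller that still sets `''` will now send an empty `IPASESSION` header, which is exactly the wrong value this PR is fixing. Either keep the truthiness check or document that an empty value is deliberately passed through.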
@@ -639,10 +643,6 @@ def __call__(self, environ, start_response):
 
 return self.marshal(None, CCacheError())
 
-logout_cookie = getattr(context, 'logout_cookie', None)
-if logout_cookie:
-self.headers.append(('IPASESSION', logout_cookie))
-
 try:
 self.create_context(ccache=user_ccache)
 response = super(KerberosWSGIExecutioner, self).__call__(

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From 7a8212217891ad2f9453b82d136cf30ad0b0dd74 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccaches ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/debian/paths.py   | 1 -
 ipaplatform/redhat/tasks.py   | 2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
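Review bot: `Environment=KRB5CCNAME=$KRB5CC_HTTPD` points at the fixed path `/tmp/krb5cc-httpd` (from the paths.py hunk below), and the commit message relies on the unit's private tmp to make that safe, but this drop-in does not set `PrivateTmp=yes` itself. If the stock httpd.service ever lacks it, a predictable file name in the shared /tmp can be pre-created or symlinked by any local user; suggest adding `PrivateTmp=yes` to the drop-in, or placing the ccache under a directory owned by the service user as the Debian path being removed did under /var/run/apache2.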
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 5cbe9b8..ad0e13c 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -89,7 +89,6 @@ class DebianPathNamespace(BasePathNamespace):
 VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
 OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
 IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
-KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
 IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
 
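Review bot: removing `KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"` makes Debian fall back to the base `/tmp/krb5cc-httpd`; that is only equivalent if Debian's apache2 unit also runs with a private tmp, which this patch does not check. Confirm that, or keep the Debian override.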
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
 

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From 4cec7509d7601c155e8182ad9cfdb4eecfc33c70 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccaches ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/redhat/tasks.py   | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
 

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

simo5 commented:
"""
@tiran I do not know, @npmccallum may know.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280656899
